BruCON 0x0A

This talk explains how low-layer attacks against WiFi can be implemented by modifying the firmware of off-the-shelf WiFi dongles. Additionally, in this new version of the talk, we also discuss how mobile phones can be modified to carry out similar attacks.

First, we show how to give ourselves a higher throughput than normally allowed. Then we create a continuous jammer which makes the channel completely unusable for all devices. Based on this we also show how to implement a selective jammer, allowing one to jam only packets of specific clients. It’s surprising all this is possible using cheap hardware, in particular the selective jammer, since it must adhere to very strict timing constraints to timely jam the targeted frames.

Finally, we demonstrate how our low-layer attacks facilitate attacks against higher-layer protocols. In particular we use our modified firmware to implement a multi-channel man-in-the-middle attack. This can then be used to attack WPA-TKIP. In this new version of the talk we also discuss how this MitM position was used in the KRACK attacks against WPA2, and several other attacks against protected Wi-Fi networks.